Current Issue: April - June, Volume 2014, Issue Number 2, Articles: 5
The manual forensics investigation of security incidents is an opaque process that involves the collection and correlation of diverse evidence. In this work we first conduct a complex experiment to expand our understanding of forensics analysis processes. During a period of 4 weeks, we systematically investigated 200 detected security incidents about compromised hosts within a large operational network. We used data from four commonly used security sources, namely Snort alerts, reconnaissance and vulnerability scanners, blacklists, and a search engine, to manually investigate these incidents. Based on our experiment, we first evaluate the (complementary) utility of the four security data sources and surprisingly find that the search engine provided useful evidence for diagnosing many more incidents than more traditional security sources, i.e., blacklists, reconnaissance, and vulnerability reports. Based on our validation, we then identify and make publicly available a list of 165 good Snort signatures, i.e., signatures that were effective in identifying validated malware without producing false positives. In addition, we analyze the characteristics of good signatures and identify strong correlations between different signature features and their effectiveness, i.e., the number of validated incidents in which a good signature is identified. Based on our experiment, we finally introduce an IDS signature quality metric that can be exploited by security specialists to evaluate the available rulesets, prioritize the generated alerts, and facilitate the forensics analysis processes. We apply our metric to characterize the most popular Snort rulesets. Our analysis of signatures is useful not only for configuring Snort but also for establishing best practices and for teaching how to write new IDS signatures.
The Internet is an essential tool for everyday tasks. Aside from common use, the option to browse the Internet privately is a desirable attribute. However, this can create a problem when private Internet sessions become hidden from computer forensic investigators in need of evidence. Our primary focus in this research is to discover residual artifacts from private and portable web browsing sessions. In addition, the artifacts must contain more than just file fragments and enough to establish an affirmative link between user and session. Certain aspects of this topic have triggered many questions, but there have never been enough authoritative answers to follow. As a result, we propose a new methodology for analyzing private and portable web browsing artifacts. Our research will serve as a significant resource for law enforcement, computer forensic investigators, and the digital forensics research community.
In this paper, we present a novel approach to IP traceback: deterministic flow marking (DFM). We evaluate this novel approach against two well-known IP traceback schemes, the probabilistic packet marking (PPM) and the deterministic packet marking (DPM) techniques. In order to do so, we analyzed these techniques in detail in terms of their performance and feasibility on five Internet traces. These traces consist of Darpa 1999 traffic traces, CAIDA October 2012 traffic traces, MAWI December 2012 traffic traces, and Dal2010 traffic traces. We have employed 16 performance metrics to evaluate their performance. The empirical results show that the novel DFM technique can reduce the number of marked packets by 91% compared to the DPM, while achieving the same or better performance in terms of its ability to trace back the attack. Additionally, DFM provides optional authentication so that a compromised router cannot forge the markings of other uncompromised routers. Unlike PPM and DPM, which trace the attack up to the ingress interface of the edge router close to the attacker, DFM allows the victim to trace the origin of incorrect or spoofed source addresses up to the attacker node, even if the attack originated from a network behind a network address translation (NAT) server. Our results show that DFM can reach up to approximately a 99% traceback rate with no false positives.
Nowadays data security has gained everyone's attention because of the data transfer facilities available on the Internet, such as file transfer, cloud storage and e-commerce. But data transfer over the Internet is a very risky affair. Two popular techniques for achieving data security are encryption and steganography. Steganography can protect both messages and communicating parties, whereas cryptography protects only the contents of a message. In the field of steganography, mobile-application-based steganography is a new type of steganography, and it has many advantages over other steganography techniques. One prominent advantage is its high payload capacity and mobility. In this paper we implement a mobile-app-based steganography technique in a Maze game mobile application and compare the results, based on various criteria, of the mobile-application-based steganography technique with other steganography techniques available on the mobile platform, such as SMS-based and MMS-based techniques. Millions of mobile apps are downloaded onto mobile phones daily from all parts of the world. This technique is implemented on the J2ME platform; the mobile application is a Maze game and it is tested on Nokia Supernova 7610 series phones.
Recent studies exposed the weaknesses of scale-invariant feature transform (SIFT)-based analysis by removing keypoints without significantly deteriorating the visual quality of the counterfeited image. As a consequence, an attacker can leverage such weaknesses to impair, or directly bypass with alarming efficacy, some applications that rely on SIFT. In this paper, we further investigate this topic by addressing the dual problem of keypoint removal, i.e., the injection of fake SIFT keypoints in an image whose authentic keypoints have been previously deleted. Our interest stemmed from the consideration that an image with too few keypoints is per se a clue of counterfeit, which can be used by the forensic analyst to reveal the removal attack. Therefore, we analyse five injection tools that reduce the perceptibility of keypoint removal and compare them experimentally. The results are encouraging and show that injection is feasible without causing a subsequent detection at the SIFT matching level. To demonstrate the practical effectiveness of our procedure, we apply the best performing tool to create a forensically undetectable copy-move forgery, whereby traces of keypoint removal are hidden by means of keypoint injection.